The exact security of digital signatures: How to sign with RSA and
Rabin

Authors: M. Bellare and P. Rogaway

Abstract: We describe an RSA-based signing scheme called PSS which
combines essentially optimal efficiency with attractive security
properties. Signing takes one RSA decryption plus some hashing, verification
takes one RSA encryption plus some hashing, and the size of the signature is
the size of the modulus. Assuming the underlying hash functions are ideal, our
schemes are not only provably secure, but are so in a tight way--- an
ability to forge signatures with a certain amount of computational resources
implies the ability to invert RSA (on the same size modulus) with about the
same computational effort. Furthermore, we provide a second scheme which
maintains all of the above features and in addition provides message
recovery. These ideas extend to provide schemes for Rabin signatures with
analogous properties; in particular their security can be tightly related to
the hardness of factoring.